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Abstract — The essential functionality of any digital 
transaction system is the protection of the anonymity of user 
and the message. Group signature allows any valid group 
member to sign any number of messages on behalf of the 
group without revealing the member identity. A blind signature 
is a cryptographic scheme produces a signature, where the 
digital signature is obtained on a message from a signer 
without revealing any information about the message. In this 
paper we bring in a new cryptographic scheme called a Group 
Blind Digital Signature combines the existing concept of a 
Group Digital Signature and a Blind Digital Signature. This 
scheme is useful in many applications where anonymity is 
very important like evoting and ecash. This blind group 
signature scheme uses the identity based signature in which 
the public key can be derived from any arbitrary unique string. 
This reduces the complexity involved in certificate 
management as compared to the traditional public key 
signature scheme. Moreover, this signature scheme based on 
the bilinear pairings enables utilizing smaller key sizes 

Index Terms — Digital signature, Group Signature, Blind 
Signature, Bilinear Pairing 

I. Introduction 

A Group Blind Digital Signature allows the members of a 
group to digitally sign documents on behalf of a group and 
also the signer is unaware of the message that he is signing. 
The purpose of the digital signature is to enable a person to 
digitally sign the electronic document. The digital signatures 
have the same properties as traditional signatures. The digital 
signatures are easy to generate, easy to verify. However they 
are difficult to forge. To sign a document, private key is used, 
and the public key is used for verification. Digital signatures 
have extensively been used to offer services such as data 
integrity, entity authentication, non-repudiation, and data 
origin authentication. 

A. Group signature 

Group signatures, allows a group member to anonymously 
sign on behalf of the group[5,l 1,12]. Using a single group 
public key, the signatures can be verified. It is impossible for 
anyone to distinguish whether or not two group-signatures 
originated by the same or by a different group member. In the 
case of a disagreement, only the designated group manager 
can open the signature to disclose the identity of the group 
member who issued the given signature. Group signatures[14] 
are publicly verifiable and can be verified with respect to a 
single group public key. 

Group signatures have many applications in the area of 
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privacy protection [7,9]. The most well-known one is trust 
computing. Since the number of applications on the internet 
continues to grow, more and more conventional human 
interactions have been transformed to their electronic 
transactions like email, ecash, evoting, ecommerce, etc[8,13]. 
In the electronic transaction environment the personal privacy 
is a big challenge, like the right of the individual is much less 
or the right to find out the amount of personal information 
which should be available to others is more. 

Privacy is important for many reasons, such as 
impersonation and fraud. It becomes easier for criminals to 
commit fraud as more identity information is collected, 
correlated, and sold. But privacy is more than that, it also 
concerns about the secrecy of which websites we visited, 
the candidates we voted for, etc. Anonymity is one important 
form of privacy protection. 

For some application high level of anonymity can do more 
damage. For example, in some situation one would like to 
have a trusted third party to have the capability to trace 
users after the fact that users have misbehaved, such as 
tracing double-spenders in an electronic cash system. 
Designing secure cryptographic schemes with unconditional 
anonymity is undoubtedly challenging. In practice, anonymity 
diversifies into various forms with different levels of 
anonymity. However, providing the proper level of anonymity 
is sometimes even more challenging. 

B. Blind signature 

With the vast development of electronic commerce, the 
protection of anonymity of users and messages become a 
crucial requirement. The best approach to authenticate any 
e-transactions is the digital signature, which allows a user 
with a public key and a corresponding private key to sign a 
document in such a way that anyone can verify the signature 
on the document, but no one can fake the signature on any 
other document. Blind signatures are the basic tool for 
secured electronic transactions. 

A blind signature is similar to a digital signature, a user 
can obtain a signature from a signer, but at the same time the 
signer of the message does not find out the information about 
the message they signed. Moreover, should the signer ever 
see the document or signature pair, he/she should not be 
able to determine when or for whom he signed it. 

II. Related work 

The first Group Signature proposed by Chaum and van 
Heyst[4]. In this scheme the signer is a member of the group 
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signer's identity is hidden in a group, but the group's iden- 
tity is revealed. Besides the first realization Chaum and van 
Heyst proposed, there are many other schemes emerge in 
recent years. G. Ateniese[8] proposed a group signature 
scheme based on other number theory assumptions with 
better efficiency and stronger security. More researches on 
group signature include group signatures for hierarchical 
multi-groups, group blind signatures, and multi-group sig- 
nature. 

Blind signature was first introduced by Chaum [3], which 
can provide anonymity for users in electronic transactions. 
It allows users to get a signature of a message in a way that 
signer learns neither the message nor the resulting signature. 
Chaum first proposed blind signature scheme was RSA- 
based. The first ID-based blind signature scheme [6] was 
proposed by Zhang and Kim in 2002. After that, there have 
been several proposals for the blind signatures. Many 
research papers provide the details of digital signature 
scheme which comprise blind signature and signcryption 
schemes using identity based cryptography system. In this 
paper, we construct a provably secure ID-based group blind 
signature on the basis of CZK scheme. 

III. Preliminaries 

Here in this section, we briefly present the background 
concepts which help in understanding the Identity-based 
Group Blind signature systems. 

A. Identity Based Cryptosystem 

In recent years the Identity-based cryptosystems are 
becoming popular. The advantage of Identity Based 
Encryption (IBE) system is that users can choose any arbitrary 
string as their public key [1, 15]. IBE goal is to reduce the 
overhead necessary to bring an entity into the crypto system. 
We take some attribute of the entity and use that as a 
functional equivalent to a public key. Thus, a name, an email 
address, or even a binary object such as a picture or sound 
can be considered equivalent to a public key. An IBE system 
can be thought of as a function of the form Ki = IBE(IDi) that 
produces keys from arbitrary bit strings. This reduces the 
overhead of using of certificates [2, 10, 15] in the traditional 
public key infrastructure. 

B. Identity Based Signature Scheme 

In Identity Based Signature Scheme (IBS), the sender 
obtains a private key associated with the unique identity 
information from the PKG Then the sender signs a message 
using the signing key. The verifier uses the sender's identity 
information to verify the signature. For the verifier it is not 
required to get the sender's certificate to verify the key[l]. 
More precisely, an IBS scheme can be described using the 
following steps. 

- Setup: The Private Key Generator (PKG), which is a trusted 
third party, creates its master private and public key pair. 

- Private Key Extraction: The sender authenticates to the 
PKG and obtains a private key associated with the 
identity. 



Signature Generation: Using the private key, the sender 
creates a signature on the message M. 
- Signature Verification: Having obtained the signature 
and the message M from sender, the verifier checks 
whether the signature is a genuine signature on M using 
sender's identity and the PKG's public key. If it is, then 
the receiver accepts the message or otherwise rejects it. 

C. Bilinear Pairing 

Bilinear pairing is an important primitive for many 
cryptographic schemes. Many elegant cryptographic 
schemes have been formulated utilizing the properties of these 
bilinear pairings. 

Let Gj be an additive group of prime order q, generated by 
P and let G 2 be a multiplicative group with the same order q. 
We assume that there is a bilinear map e from GjXGj' ! G 2 with 
the following properties: 

1 ) Bilinearity: 

Which means that given elements, 
Aj ,A 2 , A 3 £ Gj , we have that 
e(Aj + A 2 , A 3 ) = e(Aj,A 3 ) x e(A 2 ,A 3 ) and 
e(A 1 , A 2 + A 3 ) = e(A 1 , A 2 ) x e(A 1 , A 3 ). 
In particular, for e(aA 1? bA 2 ) = e(A 1? A 2 ) ab , a,b s Z*q where Zp 
denotes all positive integer which is less than p. Z*q denotes 
multiplicative group modulo p. 

2 ) Non-degeneracy: 

Which means that there exists A r A 2 s G 1 such that e(Aj A 2 ) 
~L 1 G2 , where 1 G2 is the identity of G 2 . 

3 ) Computability: 

Which means that there exists an efficient algorithm to 
compute e(Al, A2), " Al, A2 eG r 

Decision Diffie-Hellman is easy: The Decision Diffie-Hellman 
problem (DDH). Given aP, bP, cP e G r If we want to decide 
whether cP = abP, we can easily determine by checking e(P, 
cP)=e(aP,bP). 

Computational Diffie-Hellman is hard: The Computational 
Diffie-Hellman problem (CDH). Given P, aP, bP e G r if we 
want to compute abP e G p it is assume to be hard. 

Since the Decision Diffie-Hellman problem (DDH) in Gj is 
easy, we cannot use DDH to build our cryptosystems. 
Instead, the security of our IBE system is based on a variant 
of the Computational Diffie-Hellman assumption (CDH). 

D. Properties of Group Blind Signature 

A secure group signature scheme satisfies the following 
properties: 

1) Anonymity: For given a signature, identifying the real 
signer is infeasible to decide for everyone but the group 
manager. 

2) Blindness: The signer is unable to see the original content 
of message he/she has sign. 

3) Unlinkability: Deciding whether two different signatures 
made by the same signer is computationally hard. 

4) Unforgeability: Only group members can sign messages 
on behalf of the group. 

5) Correctness: Signature produces by a group member must 
be provable. 
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6) No framing: The group members/manager can not sign 
messages for other members. 

7) Traceability: The group manager can always establish the 
identity of the member who issued a valid signature. 

8) Exculpability: Even if the group manager and some of the 
group membersjoin together, they cannot sign on behalf 
of non-involved group members. 

IV. Identity Based Group Blind Signature 

In this paper we investigated the generation of Group 
blind signature with identity based cryptosystem. An identity 
based Group blind signature scheme is an interactive 
procedure allowing Sender to obtain a valid signature for a 
message from a signer without seeing the message or its 
signature. 

In this section we present how an Identity based signature 
scheme can be used to implement an efficient group signature 
scheme. In this scheme all users get a private key from the 
Group Manager using system parameter. This group signature 
scheme involves three types of parties: members, non- 
members and a group manager. It further consists of seven 
algorithms Setup, Member key generation, Join, Signing, 
Verifying, Open, and Signer Tracing as shown in Figure 1 . 
The blind group signature scheme is composed of the 
following procedures: 

Setup: In this algorithm the Group Manager (GM) chooses 
the input of security parameters and a group secret key of 
the group manager and output a group public key. 

Let Gl be acyclic additive group of prime order q 
generated buy P, G2 be a cyclic multiplicative group of the 
same prime order q. A bilinear pairings is a map e: GlxGl -> 
G2. The GM decides on a bilinear pairing e and P an arbitrary 
generator of G r 

- GM selects a Map to point hash function Hj : {0, 1 } * x G 1 

^ Z * and 

q 

- Chooses another cryptographic hash function H 2 : { 0, 1 } * 
xGl^Gl 

- H ,H,are secure one-way hash functions. 

- GM chooses a generator P of Gl 

- Selects a random s a Z * 

q 

- Computes P pnb = sP. 

- Group public key is G pnb = (P, P pnb , e, q, Gl, G2, Hj, H 2 ). 

- GM Secret key is 

- GM publishes the system parameters (G . ) and keeps the 
master key as secret. 

Member key generation: Any group member wants to 
generate his/her member secret key, they uses the interactive 
protocol with the group manager. During which Group 
Manager generates a member certificate on the member secret 
key blindly, i.e., without knowing the secret key value. Any 
group member can generate group signatures using his 
member secret key and member certificate, called group 
signing key. The communication between the GM and the 
group member is secured. To acquire the membership 
certificate, each user must execute the following protocol with 
GM: 
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- The group member with identity ID. selects a random 
number r £ Z q * as the private key. 

- Computes rP and the group member send rP together with 
ZD.toGM. 

- GM computes group member's private key 

S w , = s.H 2 {ID i \\rP) 

- Senas j 10 me group meiiioer via a secure channel. 

- The group member has a private key palY (T,Srn .) ■( 
S w . and rP are pseudo-secret, since UM is no longer 
trustful and it may expose them to other members.) 

- Group member's public key vw i 

= H 2 (JD t \\rP) 

Join: Suppose now that a user wants to join the group 
performs the following protocol and becomes a member of 
the group. 

- User chooses a random **• ^ Z q * 

- Sends [rxP, TP, /Dj, XP] to GM and proves to GM 
that the user knows S m . . 

ID i 

- If GM is convinced that the user knows S Wj and q(xP,TP) 

- GM sends secretly S = sH 2 ( rxP) 

- User has the secret keys x and rx, member key xP, and 
the member certificates (rxP, S). 

Signing: 

This algorithm includes many phases like initializing 
random value, blinding message, signing the blinded message 
and unblinding. 

During initializing phase the signer initializes a random 
value and sends to the user. The user then calculates the 
blinding factore using the random value and other 
parameters. The blinded message is send to the signer for 
signing. After signing the user unblinds the signed message 
by sending the blinding factor to the verifier. 
Signer: 

- Chooses randomly k l "Z* ? 

- computes R= k l • H 2 (rxP) 

- sends 7?^ to the sender. 
Sender: 

- Chooses randomly bfact " Z* ? 

- computes and sends R =R +bfact -P 

- calculates R =H (m,R^ 

- sends R 2 and R 3 to signer 
Signer: 

- computes R=rx • R 3 

- sends R, to sender 

Sender : In this phase the signer blinds the message with the 
blind factor. 

- computes R 5 = R 4 + bfact • P 

- computes R=H(m,R+R^ 

- sends R s to the signer 
Signer: 

- computes R 7 =(k t + RJS 

- sends R ? to sender 
Sender: 

- computes = R g +bfact 'P b 

Thus (RpRpRgrx^) is the ID-based group blind signature 
ofm. 
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Figure 1: Identity based group blind Signature 



To produce a group blind signature, the Sender requires 
three scalar multiplications in G two hash function evaluation. 
The Signer requires to compute three scalar multiplications 
in G and one hash function evaluation. 
Verification: In this algorithm, the receiver verifies the 
signature and recovers the message by using the public 
parameters and the signer's identity. Anyone who knows the 
public key of the signer can verify the validity of signature 
with the given a message m and its identity based group 
blind signature. 

For a given signature (R 2 ,R ? Rg,rx,P) 
computes R^H/nifR^RJ 

- computes H 2 (rxP) 

- verifies if e(R ff P)= e(R 2 +R 6 • H 2 (rxP),P p J is valid. 

Proof of verification: 

e(R g ,P) = e(R 7 +bfact ■ P pub , P) 

= e(R r P) efbfact -P pub P) 

= e((k I+ R 6 )S,P) efbfact ■ P pub P) 

= e((k ]+ R 6 )s H 2 (rxP),P) efbfact ■ P pub P) 

= e(k r s- H 2 (rxP)+ R 6 -s- H 2 (rxP),P) efbfact ■ P pub P) 

= efs -R,+ R 6 -s- H 2 (rxP),P) efbfact ■ P pub P) 

= e(R I+ R 6 ■ H 2 (rxP),sP) efbfact ■ P^P) 
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= e(R 1+ R 6 ■ HJrxP), P J efbfact -P^ P) 
= e(R,+ R 6 ■ HJrxP), PJ efbfact -P PJ 
= e(R ]+ bfact -P+ R 6 H/rxP), PJ 
= e(R 2+ R 6 -H 2 (rxP), P p J 
Open: 

Given a valid group blind signature, Group Manager can 
easily identify the signer. The signer cannot refuse the 
signature after GM gives a zero knowledge proof on given a 
signature o of message m. The group manager can identify 
the originating member by computing Open (master secret 
key, m, signature), which outputs the identity of the member 
who created the signature. 

The group manager knows for each the identity of 
the user that is associated with it. This binding is established 
during the Join phase. As a result, it is easy for a group 
manager, for a given valid group signature, to determine the 
identity of the signer. 

V. Conclusion 

In this paper we proposed a group blind signature scheme 
based on the group signature scheme. Our group blind sig- 
nature scheme is more efficient and secure. The size of the 
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group public key and the group blind signature is indepen- 
dent on the numbers of group members. This method of cryp- 
tographic primitive can be used in secured electronic trans- 
action like ecash and evoting where protecting the anonym- 
ity of the user is very important. This scheme can be the 
alternative for traditional blind signature scheme eliminates 
the need for certificates of public keys required, because 
public keys are generated from the arbitrary unique identity 
information. 
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